FORTINET DOCUMENT LIBRARY https://docs.fortinet.com
FORTINET VIDEO GUIDE https://video.fortinet.com
FORTINET KNOWLEDGE BASE http://kb.fortinet.com
FORTINET BLOG https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
FORTINET COOKBOOK http://cookbook.fortinet.com
FORTINET TRAINING AND CERTIFICATION PROGRAM https://www.fortinet.com/support-and-training/training.html
NSE INSTITUTE https://training.fortinet.com/
FORTIGUARD CENTER https://fortiguard.com
FORTICAST http://forticast.fortinet.com
END USER LICENSE AGREEMENT https://www.fortinet.com/doc/legal/EULA.pdf

Friday, August 24, 2018
FortiNAC Appliance Installation Guide
49-830-503677-20180731...
Naming Conventions

Before you begin the installation, you need to determine the Product Descriptor for the product you are configuring.
• Refer to the Appliance Identification Details page in the information packet that came with your appliance. Locate your Appliance Identifier.
• ...
Table 2: Naming Conventions for Appliance BFN330

Appliance | Product Name                           | Product Descriptor      | Appliance Identifier Label
NS500CA   | Network Control and Application Server | NS500CA FortiNac Server | SYS-BFN330-NS500CA

Table 3: Naming Conventions For Appliance BFN620

Appliance | Product Name       | Product Descriptor  | Appliance Identifier Label
NS2200    | Network Control... | NS2200 FortiNac...  | ...
Table 6: Naming Conventions for Appliance BFN630XL

Appliance | Product Name                                          | Product Descriptor                 | Appliance Identifier Label
NS700CA   | Ultra High Performance Control and Application Server | NS700CA FortiNac Server            | SYS-BFN630XL-NS700CA
NS2000C   | Ultra High Performance Control Server                 | NS2000CA FortiNac Control Server   | SYS-BFN630XL-NS2000C
NS2000A   | Ultra High Performance Application Server             | NS2000CA FortiNac Application...   | ...
Process Overview

The following is a summary of the steps you will use to configure your appliance.

Important: The FortiNac appliances (physical or virtual) are intended for Fortinet software, tools and services only. Fortinet does not approve the use of any other software, tools or services on them.
Hardware Setup

Unpack and power up the appliance(s) as described in the Hardware Setup Guide included with the appliance. For some appliances, the power supply fan goes on when the appliance is first plugged in.

Note: On some appliances the power switch is located behind the bezel on the front of the machine.
Figure 2: Appliance BFN620 and BFN620XL
Figure 3: Appliance BFN330
Figure 4: Appliance BFN630 and BFN630XL

Login To Configuration Wizard - Hardware Setup

If you have not done so already, bring up a web browser and navigate to: http://192.168.1.1:8080/configWizard

The wizard is served over plain HTTP, so run it from the PC attached directly to the appliance's eth1 port (see Connect To The Network) rather than from a shared network; the credentials and passwords you enter are otherwise exposed in transit.

Enter the credentials to gain access to the Configuration...
Note: You will be required to change the Configuration Wizard password during the setup process.
Verify License Key

Each appliance requires a unique License Key to run the application. The License Key contains the license count, license time, feature set, and high availability options.

Note: When the License Key Validation window opens, if you do not see a license key, contact Customer Support or your sales representative to obtain it.
Assign IP Address

The initial Basic Network screen displays the Product Descriptor and the type of system you are configuring. See Naming Conventions on page 1.

Configure the FortiNac appliance and enter the values based on the definitions in Basic Network Window Field Definitions below.

WARNING: Do not use the following as the Host Name for the appliance: nac, ...
Field | Definition
Subnet Mask | IPv4 mask for the appliance you are configuring. A subnet is a logical grouping of connected network devices; the mask defines the boundaries of the subnet.
Subnet IPv6 Mask in CIDR notation | IPv6 mask for the appliance you are configuring, in CIDR format (e.g., 64).
Figure 6: Basic Network - Assign IP Address

Configuration Wizard - Passwords

Password fields appear empty until you modify a password. Passwords can be modified again later by accessing the Change Passwords screen. See Change Passwords After Configuration on page 45.

CLI/SSH and Configuration Wizard passwords must be eight characters or longer and contain a lowercase letter, an uppercase letter, a number, and one of the following symbols: ...
Prohibited Symbols

` back quote
: colon
[ open square bracket
& ampersand
" double quote
] close square bracket
+ plus
' single quote
, comma
= equal
< less than
. period
| pipe
> ...
Connect To The Network

Disconnect the PC from the eth1 port on the appliance. Connect eth0 of the appliance to the network. If you have a FortiNac Control Server and FortiNac Application Server pair, connect eth0 of each appliance to the network. Port eth0 is the management interface for the appliance.
Software Configuration

Now that your appliance has been assigned an IP address and is connected to the network, you are ready to configure your NTP, time zone, routes, and DHCP scopes associated with your Layer 2 or Layer 3 network. Use the following buttons and links to navigate through the Configuration Wizard.
Password Setup

Table 10: Password Field Definitions

Field | Definition
admin Password | The CLI/SSH password used to access the appliance (max. 64 characters). You are required to change this password.
root Password | The CLI/SSH password used by Customer Support to access the appliance (max. 64 characters). Treat it as an administrative credential in its own right: choose a unique value and do not reuse the admin Password.
Close the window or tab. Click Next to continue.
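As an added example (not code from the guide or from Fortinet), the following Python check applies the rules stated under Configuration Wizard - Passwords and in Table 10 to a candidate password before you type it into the wizard: at least eight characters, at most 64 for the CLI/SSH passwords, a lowercase letter, an uppercase letter, a digit, an accepted symbol, and none of the characters from the Prohibited Symbols table. Because the guide's list of accepted symbols is cut off in this excerpt, the check assumes that any ASCII punctuation character not in the prohibited list is accepted; confirm that against the full list shown in the wizard.

```python
import string

MIN_LEN = 8
MAX_LEN = 64  # CLI/SSH passwords, per Table 10
# Characters the wizard rejects (Prohibited Symbols table; ">" is listed with its label cut off).
PROHIBITED = set("`:[&\"]+',=<.|>")


def check_password(pw):
    """Return the list of policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    bad = sorted({c for c in pw if c in PROHIBITED})
    if bad:
        problems.append("prohibited symbol(s): " + " ".join(bad))
    # Assumption: the guide's list of accepted symbols is cut off in this excerpt, so any
    # ASCII punctuation character that is not prohibited is treated as acceptable here.
    if not any(c in string.punctuation and c not in PROHIBITED for c in pw):
        problems.append("no accepted symbol")
    return problems


def is_acceptable(pw):
    """Convenience wrapper: True when check_password() finds nothing wrong."""
    return not check_password(pw)


if __name__ == "__main__":
    # Constructed sample candidates, not credentials from the guide.
    for candidate in ("Fortinac1!", "fortinac1!", "Short1!", "Fortinac1`", "Fortinac12"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Run it before the wizard rejects a password, or wire it into whatever tool generates the admin and root passwords so that prohibited characters such as the double quote and the back quote never appear in the first place.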
Network Type

At this point you must indicate whether you are connecting to a Layer 2 or a Layer 3 network.

Important: In a High Availability environment with an L3 configuration where redundant FortiNac servers are on different subnets and do not use a shared IP address, you must select the Layer 3 network option.
Layer 2 Network - VLANs

VLANs are the basic networking construct used to limit network access. When you implement network access control, include at least one non-production VLAN. In the Configuration Wizard this is the Isolation VLAN. If there is the need to separate clients based on state, such as known vs. ...
Layer 2 Network - Configure VLANS

The configuration views for the Isolation, Registration, Remediation, Dead End, VPN, Authentication and VLAN types are similar. The Access Point Management VLAN configuration view is slightly different in that it contains sections for both authorized and unauthorized clients. Samples of the Isolation and the Access Point Management views are shown below.
Field | Definition
Domain | Identifies the domain for this range of IP addresses. To help identify the VLAN, incorporate part of the name in the domain. For example, for the isolation VLAN use megatech-iso.com or for the registration VLAN use megatech-reg.com.

Note: If you use agents for OS X, iOS, and some Linux systems, using a .local suffix in Domain fields may cause communications issues. The .local top-level domain is reserved for multicast DNS (RFC 6762), so those systems resolve such names by mDNS rather than by querying the unicast DNS server the appliance provides.
Table 13: Layer 2 Access Point Management Field Definitions

Field | Definition
Access Point Management Interface eth1
Interface IP | IP address for the VLAN interface on eth1. This VLAN is used when more than one MAC address is detected on a single port.
Mask | Subnet mask.
Lease Pool Start | Starting and ending IP addresses that delineate the range of IP addresses available for unauthenticated users on this VLAN.
Domain | Identifies the domain for this range of IP addresses. To help identify the VLAN, incorporate part of the name in the domain.
Figure 13: Layer 2 Access Point Management

Layer 2 Network - Additional Routes

If you want to configure additional routes within your Layer 2 network, see Layer 3 Network - Additional Routes on page 40 for steps. Configuration is the same for both network types. After you have configured additional routes, click Summary.
Figure 14: Summary Of Layer 2 Network VLAN Configuration

Layer 3 Network - Route Scopes

If you are configuring the appliance in a routed environment, as opposed to a Layer 2 environment, use the Layer 3 selection on the Network Type window. See Network Type on page 20.
Note: The Configuration Wizard dynamically writes all files configured on the FortiNac Control Server to the FortiNac Application Server. No direct configuration of the FortiNac Application Server is required after the initial basic network setup is completed.

Note: When setting up Layer 3 Network Configurations in the Configuration Wizard, labels of DHCP Scopes should not begin with any of these strings: "REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", or "HUB_".
Layer 3 Network - Configure Route Scopes

The configuration views for the Isolation, Registration, Remediation, Dead End, VPN and Authentication scopes are similar. The Access Point Management scopes configuration view contains sections for both Production and Isolation clients. Sample Isolation and Access Point Management views are shown below.
Field | Definition
(field name not shown in this excerpt) | This field is optional and does not need to be configured if the appliance and all of the managed devices are on the same subnet. If the appliance and any managed devices are on different subnets, enter the IP address of the routing device.
Figure 16: Add/Modify Layer 3 Scopes And Lease Pools
Figure 17: Layer 3 Scopes - Add Lease Pool IP Range

Table 16: Layer 3 Access Point Management Field Definitions

Field | Definition
Access Point Management Interface eth1
Interface IP | IP address for the VLAN interface on eth1.
Mask | Subnet mask.
Access Point Management Scopes
Label | User specified name for the scope. Can be associated with a location, such as Building-B, or a function within the organization, such as Accounting.
Lease Time | Time in seconds that an IP address in this domain is available for use. When this time has elapsed the user is served a new IP address. The recommended lease time for Access Point Management/Production is 3600 seconds.

Note: When setting up Layer 3 Network Configurations in the Configuration Wizard, labels of DHCP Scopes should not begin with any of these strings: "REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", or "HUB_".
Importing Route Scopes

To import route scopes from a csv file, use one of the following formats:

Single Route Format
ScopeLabel,Default Gateway,Mask,Domain,Lease Pool "start address-end address,start address-end address"

Access Point Management Route Format
ScopeLabel,Production Default Gateway,Production Mask,Production Domain,Production Lease Pool "start address-end address,start address-end address",Isolation Default...
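The following Python validator is an added example (not part of the guide or of FortiNAC) that checks a Single Route Format CSV before it is imported, so that the wizard's Results page is not the first place you see a bad scope. It assumes that the quoted Lease Pool text is one CSV field holding comma-separated start-end ranges, and that the Default Gateway and Mask together define one IPv4 subnet in which every lease range must fall. It enforces the reserved label prefixes from the Note above, rejects non-contiguous masks, flags ranges that include the default gateway, lie outside the subnet, or overlap each other, and warns about a .local domain. The Access Point Management Route Format is cut off in this excerpt, so it is not handled. The sample rows are constructed for the example.

```python
import csv
import ipaddress

# Layer 3 DHCP scope labels must not begin with these strings (reserved by the wizard).
RESERVED_PREFIXES = ("REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", "HUB_")


def parse_single_route_line(fields):
    """Validate one Single Route Format row:
         ScopeLabel,Default Gateway,Mask,Domain,"start-end,start-end"
    Returns (scope, errors); scope is None when the row cannot be used at all.
    Assumption: the quoted Lease Pool column arrives as a single CSV field."""
    errors = []
    if len(fields) != 5:
        return None, [f"expected 5 fields, got {len(fields)}"]
    label, gateway, mask, domain, pool = (f.strip() for f in fields)

    if not label:
        errors.append("empty scope label")
    elif label.startswith(RESERVED_PREFIXES):
        errors.append(f"label {label!r} starts with a reserved prefix")
    if domain.lower().endswith(".local"):
        errors.append(f"domain {domain!r} uses a .local suffix (may break agent communications)")

    try:
        gw = ipaddress.IPv4Address(gateway)
        net = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)  # rejects non-contiguous masks
    except ValueError as exc:
        return None, errors + [f"invalid gateway/mask {gateway!r}/{mask!r}: {exc}"]

    ranges = []
    for item in pool.split(","):
        item = item.strip()
        try:
            start_s, end_s = item.split("-", 1)
            start = ipaddress.IPv4Address(start_s.strip())
            end = ipaddress.IPv4Address(end_s.strip())
        except ValueError:
            errors.append(f"lease pool entry {item!r} is not a valid start-end range")
            continue
        if start > end:
            errors.append(f"lease pool entry {item!r} ends before it starts")
        if start not in net or end not in net:
            errors.append(f"lease pool entry {item!r} lies outside {net}")
        if start <= gw <= end:
            errors.append(f"lease pool entry {item!r} includes the default gateway {gw}")
        ranges.append((start, end))
    ranges.sort()
    for (s1, e1), (s2, e2) in zip(ranges, ranges[1:]):
        if s2 <= e1:
            errors.append(f"lease pool ranges {s1}-{e1} and {s2}-{e2} overlap")

    scope = {"label": label, "gateway": gw, "network": net, "domain": domain, "pool": ranges}
    return scope, errors


def import_route_scopes(csv_text):
    """Parse a whole CSV file. Only rows with no errors are returned as scopes;
    every error is prefixed with the 1-based line number it came from."""
    scopes, errors = [], []
    for lineno, row in enumerate(csv.reader(csv_text.splitlines()), start=1):
        if not any(f.strip() for f in row):
            continue  # blank line
        scope, errs = parse_single_route_line(row)
        errors.extend(f"line {lineno}: {e}" for e in errs)
        if scope is not None and not errs:
            scopes.append(scope)
    return scopes, errors


# Constructed sample file: one good scope, one reserved label, one with lease pool mistakes.
SAMPLE_CSV = """\
Building-B,10.20.30.1,255.255.255.0,megatech-bldgb.com,"10.20.30.100-10.20.30.150,10.20.30.200-10.20.30.250"
REG_Lobby,10.20.31.1,255.255.255.0,megatech-lobby.com,"10.20.31.50-10.20.31.99"
Accounting,10.20.32.1,255.255.255.0,megatech-acct.com,"10.20.32.1-10.20.32.20,10.20.33.10-10.20.33.20"
"""

if __name__ == "__main__":
    scopes, errors = import_route_scopes(SAMPLE_CSV)
    for s in scopes:
        print("OK  ", s["label"], s["network"], [f"{a}-{b}" for a, b in s["pool"]])
    for e in errors:
        print("ERR ", e)
```

The validator is deliberately stricter than a plain syntax check: a lease range that contains the default gateway, or that sits outside the scope's subnet, produces a scope the wizard may accept but whose clients never get a usable address, which is the kind of error that otherwise surfaces only as unreachable isolation clients.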
Layer 3 Network - Additional Routes

When a client connects on eth1 from a remote network, the return packet uses the eth0 Default Gateway unless a network route is added. Without such a route the traffic is routed asymmetrically (request in on eth1, reply out on eth0), and a stateful firewall or ACL between the two paths may drop the reply. It is recommended that you configure your network so that outbound and inbound routing uses the same interface, such as eth1.
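As an added example (not from the guide), the following Python model reproduces the lookup that makes the routing asymmetric: a longest-prefix-match route table built from the appliance's two connected subnets and its eth0 Default Gateway, evaluated with and without an additional route for the remote client network. The interface addresses, the router 192.168.20.1 and the remote network 10.50.0.0/16 are constructed sample values, and the model is a simplification of a real kernel routing table (no policy routing, no source-based routes).

```python
import ipaddress


class RouteTable:
    """Minimal IPv4 route table with longest-prefix-match lookup.
    Each route is (network, egress interface, next hop or None for a connected route)."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, iface, via=None):
        self.routes.append((ipaddress.IPv4Network(prefix, strict=False), iface, via))

    def lookup(self, dst):
        """Return (network, iface, via) of the most specific route covering dst, or None."""
        dst = ipaddress.IPv4Address(dst)
        best = None
        for net, iface, via in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, via)
        return best


def appliance_table(eth0_net, eth0_gateway, eth1_net, additional_routes=()):
    """Build the appliance's table: connected routes for eth0 and eth1, the default
    route through the eth0 Default Gateway, and any additional routes reached via eth1."""
    table = RouteTable()
    table.add(eth0_net, "eth0")
    table.add(eth1_net, "eth1")
    table.add("0.0.0.0/0", "eth0", via=eth0_gateway)
    for prefix, next_hop in additional_routes:
        table.add(prefix, "eth1", via=next_hop)
    return table


def reply_interface(table, client_ip):
    """Interface the appliance uses for return traffic to client_ip."""
    return table.lookup(client_ip)[1]


def is_symmetric(table, client_ip, ingress_iface):
    """True if the reply leaves on the same interface the client's packet arrived on."""
    return reply_interface(table, client_ip) == ingress_iface


# Constructed sample addressing (assumed, not from the guide): management on eth0,
# an isolation network on eth1, and a remote client network 10.50.0.0/16 that
# reaches eth1 through the router 192.168.20.1.
ETH0_NET, ETH0_GW = "192.168.10.5/24", "192.168.10.1"
ETH1_NET, ETH1_ROUTER = "192.168.20.5/24", "192.168.20.1"
REMOTE_CLIENT = "10.50.0.25"

if __name__ == "__main__":
    without = appliance_table(ETH0_NET, ETH0_GW, ETH1_NET)
    with_route = appliance_table(ETH0_NET, ETH0_GW, ETH1_NET,
                                 additional_routes=[("10.50.0.0/16", ETH1_ROUTER)])
    print("no route:   reply to", REMOTE_CLIENT, "leaves via", reply_interface(without, REMOTE_CLIENT))
    print("with route: reply to", REMOTE_CLIENT, "leaves via", reply_interface(with_route, REMOTE_CLIENT))
```

The additional route entered in the wizard corresponds to the `additional_routes` entry here: a prefix for the remote client network with the eth1-side router as next hop. Clients directly on the eth1 subnet never need it, because the connected route already wins over the default route.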
Results: Layer 2/Layer3 Networks Or Control Manager

Review the Results. Errors are noted at the top of the Results page. Scroll down through the results and note errors or warnings. Make changes and apply them until a successful configuration is written.
Figure 23: Results Window
Log In To The Admin User Interface

Note: The User Name and Password for the Admin User Interface are root/YAMS. These credentials are not changed in the Configuration Wizard. You will be prompted to change them when you log in the first time; do so before the appliance is reachable from the production network, since this default is the same on every appliance and is published in this guide.
Change Passwords After Configuration

Configuration files are overwritten whenever you run the Configuration Wizard. It is strongly recommended, therefore, that you do not make changes outside of the Configuration Wizard. Making all changes from within the Configuration Wizard prevents you from having custom configuration files that can be accidentally overwritten.